Safari’s AutoFill reveals personal information

A feature of Apple’s Safari browser can be used by hackers to harvest personal information, says Jeremiah Grossman, founder and CTO of WhiteHat Security, in his recent blog post.

The feature in question is the AutoFill, and it automatically fills the text fields of forms in HTML pages with information such as name, address (city, state, country), company, email address, etc.

Unfortunately, this feature is enabled by default and pull this information from the local operating system address book – not from previously entered data that the browser “remembered” from when you entered it on a different website.

“All a malicious website would have to do to surreptitiously extract Address Book card data from Safari is dynamically create form text fields with the aforementioned names, probably invisibly, and then simulate A-Z keystroke events using JavaScript,” says Grossman. “When data is populated, that is AutoFill’ed, it can be accessed and sent to the attacker.”

The only information that the feature – for some reason – doesn’t automatically fill is the data starting with a number (phone number, street addresses) – so, yes, it could be worse.

“Still, such attacks could be easily and cheaply distributed on a mass scale using an advertising network where likely no one would ever notice because it’s not exploit code designed to deliver rootkit payload,” says Grossman. “In fact, there is no guarantee this has not already taken place.”

He goes on to say that he contacted Apple with this information a little over a month ago, but has still received no reply from them other than an auto-response message. Until a fix is issued, he recommends to Safari users to disable the feature (Preferences > AutoFill > AutoFill web forms).